Skill v1.0.2
ClawScan security
Claw Portfolio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 11:43 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and runtime behavior are consistent with a local portfolio tracker: it stores data in a local file and fetches public price/dividend data from Yahoo Finance and CoinGecko, and it does not request unrelated credentials or privileged access.
- Guidance
- This skill appears coherent and implements the described portfolio CLI + optional web UI. Before installing: (1) be aware npm install will pull a large dependency tree (Next.js, React, etc.) — if you only need the CLI you can review package.json and remove the web UI deps or run the script with a minimal environment; (2) the tool stores data locally at data/portfolio.json in the project directory — back it up if needed and don't run the project from a directory with sensitive files; (3) it makes outbound calls to public APIs (Yahoo Finance, CoinGecko) to fetch prices/dividends, so expect network traffic; (4) if you want least risk, inspect the repository locally or run it in a container/isolated environment before linking globally. No credentials are requested by the skill.
Review Dimensions
- Purpose & Capability
- ok: Name/description (portfolio tracker with CLI + optional web UI) match the provided files and runtime commands. The code implements CLI commands and an optional Next.js web UI, uses Yahoo Finance and CoinGecko for prices/dividends, and stores data locally in data/portfolio.json. The presence of Next.js/React in package.json is justified by the optional web UI documented in SKILL.md.
- Instruction Scope
- ok: SKILL.md instructs only to run npm install, optionally npm link, and to invoke the CLI via npx tsx portfolio.ts. The instructions and code operate on local paths (data/portfolio.json) and call only public price/dividend APIs. There are no instructions to read unrelated system files or environment variables, or to exfiltrate data to unexpected endpoints.
- Install Mechanism
- note: There is no custom install spec (instruction-only), so installation is the normal npm install of the bundled project. That will pull a substantial dependency tree (Next.js, React, tsx, many packages), which is expected given the included web UI but is heavier than a minimal CLI-only tool. No downloads from arbitrary URLs or extract steps are present.
- Credentials
- ok: The skill declares no required environment variables or credentials, and the code does not attempt to access any secrets or unrelated config paths. It does make outbound requests to public APIs (Yahoo Finance and CoinGecko), which is reasonable for price/dividend data and proportional to its purpose.
- Persistence & Privilege
- ok: The skill does persist its own data to data/portfolio.json within the project directory. It does not request always:true, does not modify other skills or system settings, and does not request elevated privileges. Optional npm link (global CLI) is user-controlled and documented.
